https://community.cisco.com/t5/network-security/crypto-acl/m-p/895460#M958718 <HTML><HEAD></HEAD><BODY><P>You do not want to specify port in your crypto acl's. You have a few options. One is to remove "sysopt connection permit-vpn". This means you would have to write all of your vpn access in your interface acl's. </P><P></P><P>no sysopt connection permit-vpn</P><P>access-list 111 extended permit ip host 192.168.178.11 host 10.5.1.2 </P><P>access-list outside_access_in permit tcp host 192.168.178.11 host 10.5.1.2 eq telnet</P><P>access-group outside_access_in in interface outside</P><P></P><P>Two is to create a vpn-filter and assign it to the group policy for the tunnel group. See this document...</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 13 Dec 2007 18:42:08 GMT acomiskey 2007-12-13T18:42:08Z https://community.cisco.com/t5/network-security/crypto-acl/m-p/895459#M958717 <P>Hi @all,</P><P></P><P>i've a l2l vpn between 2 pixes [7.2(2)]. Now i'm trying to limit the vpn traffic to telnet (biderectional). I've tried it with the acl:</P><P>pix1:</P><P></P><P>access-list 111 line 1 extended permit tcp host 192.168.178.11 range 1024 65535 host 10.5.1.2 eq telnet</P><P></P><P>pix2:</P><P></P><P>access-list 111 line 1 extended permit tcp host 10.5.1.2 range 1024 65535 host 192.168.178.11 eq telnet</P><P></P><P>When i'm try to connect via telnet form 192.168.178.11 - pix1 - pix2 - 10.5.1.2 the following error occurs on pix2:</P><P></P><P>Received remote Proxy Host data in ID Payload: Address 192.168.178.11, Protocol 6, Port 27338</P><P>Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing ID payload</P><P>Dec 13 18:23:01 [IKEv1 DECODE]: Group = 10.2.1.1, IP = 10.2.1.1, ID_IPV4_ADDR ID received</P><P>10.5.1.2</P><P>Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Received local Proxy Host data in ID Payload: Address 10.5.1.2, Protocol 6, Port 23</P><P>Dec 13 18:23:01 [IKEv1 DEBUG]: Group = 10.2.1.1, IP = 10.2.1.1, processing notify payload</P><P>Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, QM IsRekeyed old sa not found by addr</P><P>Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, checking map = TELNET, seq = 1...</P><P>Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Static Crypto Map check, map = TELNET, seq = 1, ACL does not match proxy IDs src:192.168.178.11 dst:10.5.1.2</P><P>Dec 13 18:23:01 [IKEv1]: Group = 10.2.1.1, IP = 10.2.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.178.11/255.255.255.255/6/27338 local proxy 10.5.1.2/255.255.255.255/6/23 on interface outside</P><P></P><P>Isn't it possible to restrict the "VPN-Traffic"?</P><P></P><P>If i change the acl's to:</P><P></P><P>access-list 111 line 1 extended permit ip host 192.168.178.11 host 10.5.1.2</P><P></P><P>and</P><P></P><P>access-list 111 line 1 extended permit ip host 10.5.1.2 host 192.168.178.11</P><P></P><P>than the vpn tunnel works without any problems, but, sure, not only allowing telnet traffic to be encrypted.</P><P></P><P>What didn't i consider?</P><P></P><P>TIA</P><P></P><P>Tom</P> Wed, 13 Mar 2019 00:50:31 GMT https://community.cisco.com/t5/network-security/crypto-acl/m-p/895459#M958717 i.anfrage 2019-03-13T00:50:31Z https://community.cisco.com/t5/network-security/crypto-acl/m-p/895460#M958718 <HTML><HEAD></HEAD><BODY><P>You do not want to specify port in your crypto acl's. You have a few options. One is to remove "sysopt connection permit-vpn". This means you would have to write all of your vpn access in your interface acl's. </P><P></P><P>no sysopt connection permit-vpn</P><P>access-list 111 extended permit ip host 192.168.178.11 host 10.5.1.2 </P><P>access-list outside_access_in permit tcp host 192.168.178.11 host 10.5.1.2 eq telnet</P><P>access-group outside_access_in in interface outside</P><P></P><P>Two is to create a vpn-filter and assign it to the group policy for the tunnel group. See this document...</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 13 Dec 2007 18:42:08 GMT https://community.cisco.com/t5/network-security/crypto-acl/m-p/895460#M958718 acomiskey 2007-12-13T18:42:08Z https://community.cisco.com/t5/network-security/crypto-acl/m-p/895461#M958719 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>ok, that helps. as i'm used to work with checkpoint i thought it would be able to handle it in the corresponding crypto acl. </P><P>so many thanks for your help.</P><P></P><P>br</P><P></P><P>tom</P></BODY></HTML> Fri, 14 Dec 2007 09:24:46 GMT https://community.cisco.com/t5/network-security/crypto-acl/m-p/895461#M958719 i.anfrage 2007-12-14T09:24:46Z